Error while running VersityGW pointing to Google Cloud Storage as S3 backend

[santymk]

Hello team,

As we know, GCS provides interoperability APIs : https://cloud.google.com/storage/docs/interoperability which allows AWS SDKs, CLIs, etc to work with GCS seamlessly.

I enabled this interoperability in my GCP project, generated the requried HMAC access and secret key.

I could successfully perform operations such as list buckets, make bucket, etc using AWS CLI with above keys.

However, when I use the same keys when running VersityGW with S3 backend, I'm getting a 403 error saying

The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.

Can someone please help what I'm missing?

Sharing the details of the command I ran:

./versitygw --access myaccess --secret mysecret s3 --access <GCS Access key> --secret <GCS Secret key> --endpoint https://storage.googleapis.com --region auto

[benmcclelland]

@santymk Can you try setting the environment variable to enable legacy data integrity as described here: https://github.com/versity/versitygw/wiki/S3-Backend#data-integrity-compatibility

export AWS_REQUEST_CHECKSUM_CALCULATION=WHEN_REQUIRED

[santymk]

Thanks for the reply @benmcclelland . Unfortunately, setting the env variable didn't help. I tried to debug the process locally but couldn't make much progress. I suspect the issue is with signing the requests by AWS Go SDK. I'm just performing a simple list buckets operation and not working with any data upload or download. Interestingly the list bucket operation works fine with AWS CLI.
That leads me to believe that I'm not missing any configurations in the GCP console.

It would be great if someone can try reproducing the issue.
If it helps, I'm sharing the complete error message that's getting received by the internal httpclient the AWS Go SDK uses:

<Error>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Access denied.</Message>
    <Details>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Details>
    <StringToSign>AWS4-HMAC-SHA256
20250401T133152Z
20250401/auto/s3/aws4_request
fc463bb5f95_<truncated>_</StringToSign>
    <CanonicalRequest>GET
/
continuation-token=&amp;max-buckets=10000&amp;prefix=&amp;x-id=ListBuckets
accept-encoding:identity,gzip(gfe)
amz-sdk-invocation-id:b816bdcf-bab2-4c91-bbd9-997a200148bf
amz-sdk-request:attempt=1; max=3
host:storage.googleapis.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20250401T133152Z

accept-encoding;amz-sdk-invocation-id;amz-sdk-request;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest>
</Error>

[benmcclelland]

I'm not sure that --region auto is a valid region? What region are you using with aws cli? All of the google docs list us-central1 as the example default region.